Diff: rfc9374.txt - rfc9374.txt

	rfc9374.txt	rfc9374.txt

	skipping to change at line 17 ¶	skipping to change at line 17 ¶
	A. Gurtov	A. Gurtov
	Linköping University	Linköping University
	March 2023	March 2023

	DRIP Entity Tag (DET) for Unmanned Aircraft System Remote ID (UAS RID)	DRIP Entity Tag (DET) for Unmanned Aircraft System Remote ID (UAS RID)

	Abstract	Abstract

	This document describes the use of Hierarchical Host Identity Tags	This document describes the use of Hierarchical Host Identity Tags
	(HHITs) as self-asserting IPv6 addresses, which makes them trustable	(HHITs) as self-asserting IPv6 addresses, which makes them trustable

	identifiers for use as an Unmanned Aircraft System Remote	identifiers for use in Unmanned Aircraft System Remote Identification
	Identification (UAS RID) and tracking.	(UAS RID) and tracking.

	This document updates RFCs 7401 and 7343.	This document updates RFCs 7401 and 7343.

	Within the context of RID, HHITs will be called DRIP Entity Tags	Within the context of RID, HHITs will be called DRIP Entity Tags
	(DETs). HHITs provide claims to the included explicit hierarchy that	(DETs). HHITs provide claims to the included explicit hierarchy that
	provides registry (via, for example, DNS, RDAP) discovery for third-	provides registry (via, for example, DNS, RDAP) discovery for third-
	party identifier endorsement.	party identifier endorsement.

	Status of This Memo	Status of This Memo


	skipping to change at line 873 ¶	skipping to change at line 873 ¶

	DETs are registered to HDAs. The registration process defined in	DETs are registered to HDAs. The registration process defined in
	[DRIP-REG] ensures DET global uniqueness (ID-4 in Section 4.2.1 of	[DRIP-REG] ensures DET global uniqueness (ID-4 in Section 4.2.1 of
	[RFC9153]). It also allows the mechanism to create UAS public/	[RFC9153]). It also allows the mechanism to create UAS public/
	private data that are associated with the DET (REG-1 and REG-2 in	private data that are associated with the DET (REG-1 and REG-2 in
	Section 4.4.1 of [RFC9153]).	Section 4.4.1 of [RFC9153]).

	4.6. Remote ID Authentication Using DETs	4.6. Remote ID Authentication Using DETs

	The EdDSA25519 HI (Section 3.4) underlying the DET can be used in an	The EdDSA25519 HI (Section 3.4) underlying the DET can be used in an

	88-byte self-proof evidence (timestamp, HHIT, and signature of these)	88-byte self-proof evidence (timestamps, HHIT, and signature of
	to provide proof to Observers of Remote ID ownership (GEN-1 in	these) to provide proof to Observers of Remote ID ownership (GEN-1 in
	Section 4.1.1 of [RFC9153]). In practice, the Wrapper and Manifest	Section 4.1.1 of [RFC9153]). In practice, the Wrapper and Manifest
	authentication formats (Sections 6.3.3 and 6.3.4 of [DRIP-AUTH])	authentication formats (Sections 6.3.3 and 6.3.4 of [DRIP-AUTH])
	implicitly provide this self-proof evidence. A lookup service like	implicitly provide this self-proof evidence. A lookup service like
	DNS can provide the HI and registration proof (GEN-3 in [RFC9153]).	DNS can provide the HI and registration proof (GEN-3 in [RFC9153]).

	Similarly, for Observers without Internet access, a 200-byte offline	Similarly, for Observers without Internet access, a 200-byte offline
	self-endorsement (Section 3.1.2 of [DRIP-AUTH]) could provide the	self-endorsement (Section 3.1.2 of [DRIP-AUTH]) could provide the
	same Remote ID ownership proof. This endorsement would contain the	same Remote ID ownership proof. This endorsement would contain the
	HDA's signing of the UA's HHIT, itself signed by the UA's HI. Only a	HDA's signing of the UA's HHIT, itself signed by the UA's HI. Only a
	small cache (also Section 3.1.2 of [DRIP-AUTH]) that contains the	small cache (also Section 3.1.2 of [DRIP-AUTH]) that contains the

	skipping to change at line 1244 ¶	skipping to change at line 1244 ¶
	creation, a future algorithm that is safe for post-quantum computing	creation, a future algorithm that is safe for post-quantum computing
	that fits the Remote ID constraints may readily be added.	that fits the Remote ID constraints may readily be added.

	9.2. DET Trust in ASTM Messaging	9.2. DET Trust in ASTM Messaging

	The DET in the ASTM Basic ID Message (Msg Type 0x0, the actual Remote	The DET in the ASTM Basic ID Message (Msg Type 0x0, the actual Remote
	ID message) does not provide any assertion of trust. Truncating 4	ID message) does not provide any assertion of trust. Truncating 4
	bytes from a HI signing of the HHIT (the UA ID field is 20 bytes and	bytes from a HI signing of the HHIT (the UA ID field is 20 bytes and
	a HHIT is 16) within this Basic ID Message is the best that can be	a HHIT is 16) within this Basic ID Message is the best that can be
	done. This is not trustable, as it is too open to a hash attack.	done. This is not trustable, as it is too open to a hash attack.

	Minimally, it takes 84 bytes (Section 4.6) to prove ownership of a	Minimally, it takes 88 bytes (Section 4.6) to prove ownership of a
	DET with a full EdDSA signature. Thus, no attempt has been made to	DET with a full EdDSA signature. Thus, no attempt has been made to
	add DET trust directly within the very small Basic ID Message.	add DET trust directly within the very small Basic ID Message.

	The ASTM Authentication Message (Msg Type 0x2) as shown in	The ASTM Authentication Message (Msg Type 0x2) as shown in
	Section 4.6 can provide actual ownership proofs in a practical	Section 4.6 can provide actual ownership proofs in a practical
	manner. The endorsements and evidence include timestamps to defend	manner. The endorsements and evidence include timestamps to defend
	against replay attacks, but they do not prove which UA sent the	against replay attacks, but they do not prove which UA sent the
	message. The messages could have been sent by a dog running down the	message. The messages could have been sent by a dog running down the
	street with a Broadcast Remote ID module strapped to its back.	street with a Broadcast Remote ID module strapped to its back.


	skipping to change at line 1416 ¶	skipping to change at line 1416 ¶
	September 2019, <https://www.sesarju.eu/node/3411>.	September 2019, <https://www.sesarju.eu/node/3411>.

	[CTA2063A] ANSI/CTA, "Small Unmanned Aerial Systems Serial Numbers",	[CTA2063A] ANSI/CTA, "Small Unmanned Aerial Systems Serial Numbers",
	September 2019, <https://shop.cta.tech/products/small-	September 2019, <https://shop.cta.tech/products/small-
	unmanned-aerial-systems-serial-numbers>.	unmanned-aerial-systems-serial-numbers>.

	[DRIP-ARCH]	[DRIP-ARCH]
	Card, S. W., Wiethuechter, A., Moskowitz, R., Zhao, S.,	Card, S. W., Wiethuechter, A., Moskowitz, R., Zhao, S.,
	and A. Gurtov, "Drone Remote Identification Protocol	and A. Gurtov, "Drone Remote Identification Protocol
	(DRIP) Architecture", Work in Progress, Internet-Draft,	(DRIP) Architecture", Work in Progress, Internet-Draft,

	draft-ietf-drip-arch-30, 28 February 2023,	draft-ietf-drip-arch-31, 6 March 2023,
	<https://datatracker.ietf.org/doc/html/draft-ietf-drip-	<https://datatracker.ietf.org/doc/html/draft-ietf-drip-

	arch-30>.	arch-31>.

	[DRIP-AUTH]	[DRIP-AUTH]
	Wiethuechter, A., Card, S. W., and R. Moskowitz, "DRIP	Wiethuechter, A., Card, S. W., and R. Moskowitz, "DRIP
	Entity Tag Authentication Formats & Protocols for	Entity Tag Authentication Formats & Protocols for
	Broadcast Remote ID", Work in Progress, Internet-Draft,	Broadcast Remote ID", Work in Progress, Internet-Draft,
	draft-ietf-drip-auth-29, 15 February 2023,	draft-ietf-drip-auth-29, 15 February 2023,
	<https://datatracker.ietf.org/doc/html/draft-ietf-drip-	<https://datatracker.ietf.org/doc/html/draft-ietf-drip-
	auth-29>.	auth-29>.

	[DRIP-REG] Wiethuechter, A. and J. Reid, "DRIP Entity Tag (DET)	[DRIP-REG] Wiethuechter, A. and J. Reid, "DRIP Entity Tag (DET)

End of changes. 5 change blocks.
	7 lines changed or deleted	7 lines changed or added
This html diff was produced by rfcdiff 1.48.